Security Descriptors and SIDs

WMI maintains access security by comparing the access token of the user that attempts to access a securable object with the security descriptor of the object.

When a user or group is created on a system, the account is given a security identifier (SID). The SID ensures that an account created with the same name as a previously deleted account does not inherit the previous account's security settings. An access token is created by combining the SID, the list of groups of which the user is a member, and the list of enabled or disabled privileges. These tokens are assigned to all processes and threads owned by the user.

Both the discretionary access control list (DACL) and the system access control list (SACL) consist of a list of access control entries (ACEs) that describe which users have specific access rights, including writing to the WMI repository, remote access and execution, and logon permissions. WMI stores these ACLs in the WMI repository.

ACEs are of three types: access-allowed and access-denied ACEs (in a DACL) and system-audit ACEs (in a SACL). Deny ACEs precede allow ACEs in the DACL or SACL. When checking a user's access rights, WMI walks the access control list in order until it finds an allow ACE that applies to the requesting access token; the remaining ACEs are not checked after that point. If no applicable allow ACE is found, access is denied. For more information, see Order of ACEs in a DACL and Creating a DACL.
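Added example, not from the page or from Microsoft's own code: a small Python model of the ACE walk described above, using the documented WMI namespace access-mask bits and constructed SIDs (the `S-1-5-21-...` values are made up; `S-1-5-11` and `S-1-5-32-544` are the well-known Authenticated Users and Administrators SIDs). It shows why a deny ACE placed after an allow ACE is never reached.

```python
from dataclasses import dataclass

# WMI namespace access-mask bits (documented WMI security constants).
WBEM_ENABLE = 0x1          # enable the namespace for the account
WBEM_METHOD_EXECUTE = 0x2  # execute provider methods
WBEM_FULL_WRITE_REP = 0x4  # write to the repository
WBEM_REMOTE_ACCESS = 0x20  # connect to the namespace remotely

@dataclass(frozen=True)
class Ace:
    ace_type: str  # "allow" or "deny"
    sid: str       # trustee SID in string form
    mask: int      # access rights this ACE covers

def check_access(dacl, token_sids, requested):
    """Walk the DACL in list order, as the text describes: a deny whose trustee
    is in the token and whose mask overlaps the request ends the walk with a
    denial; the first allow that covers every requested bit grants access and
    the remaining ACEs are not examined; running out of ACEs means denied.
    (The real AccessCheck also accumulates rights across several allow ACEs;
    this model keeps the single-match rule stated in the text.)"""
    for ace in dacl:
        if ace.sid not in token_sids:
            continue  # ACE is for a different trustee; skip it
        if ace.ace_type == "deny" and ace.mask & requested:
            return False
        if ace.ace_type == "allow" and (ace.mask & requested) == requested:
            return True
    return False  # no applicable allow ACE found

def canonical_order(dacl):
    """Place deny ACEs ahead of allow ACEs (stable sort keeps relative order)."""
    return sorted(dacl, key=lambda ace: 0 if ace.ace_type == "deny" else 1)

# Constructed SIDs for the walkthrough (the S-1-5-21-... values are made up).
AUTH_USERS, ADMINS = "S-1-5-11", "S-1-5-32-544"
CONTRACTORS = "S-1-5-21-1000-2000-3000-1105"
CONTRACTOR = frozenset({"S-1-5-21-1000-2000-3000-1001", CONTRACTORS, AUTH_USERS})
STRANGER = frozenset({"S-1-5-21-1000-2000-3000-1002"})

# Allow listed before the deny: the walk returns at the allow and never sees the deny.
MISORDERED_DACL = [
    Ace("allow", AUTH_USERS, WBEM_ENABLE | WBEM_METHOD_EXECUTE | WBEM_REMOTE_ACCESS),
    Ace("deny", CONTRACTORS, WBEM_REMOTE_ACCESS),
    Ace("allow", ADMINS, WBEM_ENABLE | WBEM_METHOD_EXECUTE | WBEM_FULL_WRITE_REP | WBEM_REMOTE_ACCESS),
]
CANONICAL_DACL = canonical_order(MISORDERED_DACL)

if __name__ == "__main__":
    print(check_access(MISORDERED_DACL, CONTRACTOR, WBEM_REMOTE_ACCESS))  # True: deny never reached
    print(check_access(CANONICAL_DACL, CONTRACTOR, WBEM_REMOTE_ACCESS))   # False
    print(check_access(CANONICAL_DACL, CONTRACTOR, WBEM_ENABLE))          # True
    print(check_access(CANONICAL_DACL, STRANGER, WBEM_ENABLE))            # False
```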